Managing cyber security risk can seem a daunting and confusing task for organisations who are either looking to deliver something for the first time or who are looking to improve their existing practices. Organisations have been producing risk management frameworks for years and whilst cyber security can be complex and challenging, it should not detract you from commencing risk activities or seeking assurance from your security and compliance teams. We have put together a list of key factors to consider when looking at cyber security risk;
- Understand What You Are Trying To Protect From A Business Perspective
It is key to understand what you are actually trying to protect before deciding how you are going to protect it. Some organisations completely skip this step and start to move straight into understanding what threats they face and if they have the technical capability to prevent an attack, without properly grasping what exactly is at risk in the first place and what is the impact, if that risk were to be realised. This activity should form the foundation of your risk management activity. You can start to assess the business aspect of understanding what you are trying to protect by asking some key questions, such as;
- What key data are we trying to protect?
- What critical systems and services do we have?
- How resilient do we want to be if the identified data, systems and services become unavailable?
- What would the impact to the organisation be if our data was breached and/or systems were compromised?
In addition, we also recommend documenting the core services your business provides, the systems that support these services, the data processed on these systems and the associated employees/suppliers managing and accessing these systems. Once you have documented these areas of your business, you can then start to assess the level of negative impact on your business, should these areas be compromised, and then plan appropriate risk mitigation.
- Understand What You Are Trying To Protect From An IT Perspective
There is also the aspect of understanding what you are protecting from an IT perspective, so that you have a solid understanding of what IT you have and subsequently what technical controls and measures need to be put in place to manage the IT operationally and from a security perspective. Some key considerations here are;
- What operating systems do we have and how are they managed?
- Do we have an inventory of the physical, software and data assets we process?
- How do we control software installation, updates and configuration?
- Are we able to identify when or if an unauthorised device connects to our network?
Answering these types of questions and addressing any shortcomings that may arise from them is key to building the right foundation for risk assessment, risk mitigation and forming an effective cyber security strategy.
- Understand The Threats Your Organisation Faces
Dependant on whether you decide to assess risks at a component level (individual systems or devices) or a system or service level (IT network or wider set of interconnected components communicating with each other) you should seek to understand and assess the different attack vectors and threats most relevant to your risk assessment. There are several ways in which this can be achieved, one good way is to get your teams conducting some form of threat modelling activity.
Threat modelling can add value to component or system level assessments and can also be an important part of the systems deployment process. Here are some actions and areas worth reviewing when it comes to threat modelling;
Devising a threat list – Some approaches take a gamification approach using cards that depict threats, others use frameworks such as STRIDE to generate threats. Either way, working with a few members of your organisation to draft typical threats to your individual system or network will enable you to start understanding ways in which your organisation could be compromised. It is important here not to miss out insider threats.
Mitigating threats – Once you have a list of threats, you can start to map the threat scenarios, as the same threat could seek to compromise your organisation via many different paths. Each aspect of an attack should be contrasted against your organisation’s existing controls. For example, how do you mitigate the risks of your privilege users extracting all your customer data from an internal database? Initially, this seems an impossible threat to mitigate, but working across all your teams there are measures that can be taken to mitigate this type of risk. Threat modelling usually centres around the following:
Assets – Asset centric models tend to focus on three key types:
- Things attackers want
- Things you want to protect
- Stepping stones between the above
Attackers – Attacker centric models focus on the threat agents themselves and tend to utilise attacker/attack lists to generate credible threat agents and attack scenarios.
Software – Software centric modelling is geared towards systems and software development. This form of threat modelling usually deals with lower level components and can help generate comprehensive threat models for more complex systems and services.
- Introduce A Control Framework
Risk assessment, threat modelling and understanding attack vectors are all important parts of an effective risk management and cyber security programme. Improving your security posture is one thing but using security to improve your appeal to clients will also provide tangible business benefit that makes security work for your organisation. Introducing a series of controls to mitigate identified risks will support effective risk mitigation and enable your organisation to apply for industry certifications such as ISO27001, PCI DSS, ISO22301 or to demonstrate compliance against best practice frameworks such as NCSC Minimum Cyber Security Guidance, CIS 20 Critical Controls, NIST Cyber Security Framework or perhaps something specific to cloud computing such as the Cloud Controls Matrix (CCM) and STAR.
Despite all these frameworks having individual pros and cons, they will demonstrate to your clients a level of assurance that is seen in many procurement processes as mandatory. At Bridewell we have developed a Cross Compliance Framework that allows us to integrate multiple frameworks under a single set of controls, which ensures that the primary focus can be on making security improvements over time, not just focussing on individual compliance activities.
- Focus On The Audience
Generally, the CEO does not care whether you have identified 200 attack vectors, multiple validated threats and a series of data exfiltration risks within your cyber security risk assessment processes. However, they will be concerned if your organisation has several critical risks which pose a high chance of your systems being hacked and customer data being stolen. Your Operational Managers or Technical Leads may be more interested in you communicating specific technical or administrative risks to them, so they can investigate further and recommend solutions, but low-level details of every risk should not be discussed at a board level.
Tailoring the articulation of your risks is key to gaining support from relevant stakeholders. You should pay as much consideration in getting this area right as the cyber security risk assessment process, as ultimately it is the presentation and articulation of risk which is key to understanding and gaining support and investment at board level.
This is not an exhaustive list but is just some of the things that would support the effective identification and management of cyber security risks, no matter which industry or organisation you work for.
Bridewell are certified by the National Cyber Security Centre (NCSC) for Risk Assessment and Risk Management and the Council for Registered Ethical Security Testers (CREST) for penetration testing. We provide services across Cyber Security, Information Security and Assurance (covers implementing ISO standards), Penetration Testing and Data Privacy. If you are interested in discussing any of our services, please get in touch via our contact page.